We all know that when programming with a small or large team, having revision control in place is mandatory. We can choose from a number of revision control systems. The following ones are in widespread use worldwide:

CVS

Was one of the first revision control systems, and is therefore very simple, but can still be used for backing up files.

SVN

Subversion is one of the most widespread revision control systems today.

GIT

Was created by Linus Torvalds and its main feature is its decentralized code view.

Mercurial

Is very similar to Git, but somewhat faster and simpler.

Bazaar

Similar to Git and Mercurial, but easier.

In this article we’ll take a look at different revision control systems accessible over HTTP/HTTPS and what we can gain from them. We all know that most revision control systems can be configured to be accessible over proprietary protocols, SSH, HTTP, etc. We also know that most of the time we need to possess the username and password to get access to an SSH-protected Git repository, for example. But HTTP/HTTPS is not a protocol where everything is strictly protected by default; in HTTP/HTTPS we must intentionally protect the directory where a revision control system lives to protect it from unauthorized use. This is why we’ll take a look at what we can do with publicly accessible (over HTTP) revision control systems.

2. Getting Usable Info from SVN Repository

If we Google for the string presented in the picture below, the results show publicly available SVN revision control systems that use HTTP as the transport protocol. The search string looks for “.svn” directories with the title string “Index of”. If we search with only the “.svn” criterion, only irrelevant search results are found.

In the picture above we can see that the search query found two publicly accessible SVN systems:

– http://neo-layout.org/.svn/

– http://trafficbonus.com/.svn/

If we try to access one of those links, the SVN directory is presented to us as shown below:

In the .svn/ directory we can see standard SVN files and folders. This usually happens because the DocumentRoot (the web page) is part of the svn repository, which also contains the folder .svn/ that is not appropriately protected. The .svn/ directory holds administrative data about that working directory to keep a revision of each of the files and folders contained in the repository, as well as other stuff. The entries file is the most important file in the .svn directory, because it contains information about every resource in a working copy directory. It keeps information about almost anything a subversion client is interested in.

What happens if we try to checkout the project? We can see that in the output below:

We can see that we can’t checkout the project, which makes sense, because we’re trying to checkout the .svn folder itself. We should checkout the root of the project, which is /. If we try that, we get the output below:

We’re not communicating with the SVN repository, but with Apache instead: notice the 200 status OK code. We can’t really checkout the project in a normal way. But let’s not despair, we can still download the project manually by right-clicking every file and saving it on our disk or writing a command that does that automatically for us. We can do that with wget command as follows:

# wget -m -I .svn http://neo-layout.org/.svn/

This will successfully download the svn repository as can be seen here:

The directory neo-layout.org/ was created, which contains the important directory .svn, which in turn contains the entries file. Afterward we can cd into the working directory and issue SVN commands. An example of executing svn status is shown below:

The first column in the output above indicates whether an item was added, deleted or otherwise changed. We can get a whole list of supported characters that indicate file status here. All of the listed files are missing, because we didn’t really checkout the repository but downloaded it with wget. But nevertheless we found out quite a lot about the actual files residing in the repository. Hm, maybe those files are actually accessible in the Apache DocumentRoot directory. Let’s try to access stylesheet_ie7.css which should be present.

In the picture above we can see the contents of the file stylesheet_ie7.css, which is indeed present in the DocumentRoot. We could have bruteforced the name of that file with DirBuster, but this is easier and more accurate. We can try to download other files as well, which might provide us with considerably more information.

Let’s also try to run svn update:

# svn update
svn: Unable to open an ra_local session to URL
svn: Unable to open repository 'file:///sol/svn/neo/www'

We were of course unable to execute that command successfully, but something interesting popped up. The name of the folder which holds the actual repository is /sol/svn/neo/www. The svn info command provides additional information about the repository:

Notice the author and the last changed revision number and last changed date. That’s quite something.

3. Getting Usable Info from GIT Repository

This is inherently the same as with SVN repositories, but let’s discuss the Git repositories a little further. We can use the same search query “.git” with “intitle: index of”, which will search for all indexed .git repositories online. The picture below shows such a query made against Google search engine:

Among many of the publicly accessible .git repositories, the following two were the first ones:

Let’s again try to checkout the repository. We can do that with the git clone command as shown below:

# git clone http://www.claytonking.com/.git/
Cloning into 'www.claytonking.com'...
fatal: http://www.claytonking.com/.git/info/refs not valid: is this a git repository?

We are again not successful in cloning the repository, for the same reason as with SVN repositories: the actual repository is the Apache DocumentRoot directory. If we try to clone from that directory, we’re not successful either:

# git clone http://www.claytonking.com/
Cloning into 'www.claytonking.com'...
fatal: http://www.claytonking.com/info/refs not valid: is this a git repository

Nevermind, we’ll use the same approach as we did with SVN repositories: with wget command as follows:

The wget command failed to download the .git directory. Why? We can quickly find out that access to that directory is denied as can be seen in the picture below:

So that repository is properly secured against our attack. Let’s try another repository located at http://www.bjphp.org/.git/. If we try to open it in a web browser, it opens up successfully, which means that the wget command will also succeed. The following picture presents accessing the .git/ repository at host www.bjphp.org:

To download the repository we can execute the following command:

# wget -m -I .git http://www.bjphp.org/.git/

Once the repository is downloaded, we can cd into it and issue git commands. Note that the repository is quite big, so it will take some time to be fully downloaded.

If we try to execute git status we get an error about a bad HEAD object:

# git status
fatal: bad object HEAD

But we should be able to execute git status command, since all the information is contained in the .git/ folder. First we need to correct the HEAD pointer to point to the latest commit. We can do that by changing the .git/refs/heads/master and replacing the non-existing hash with an existing one. All the hashes can be found by executing the command below:

The output was truncated, but we can still see six hashes that we can use. Let’s put the last hash 86f0ae6bb797bf29700cb1d0d93e5e30a4e72b into the .git/refs/heads/master file and then execute the git status command:

The command obviously succeeded: it printed the modified, added, and deleted files as of the 86f0ae6bb797bf29700cb1d0d93e5e30a4e72b commit. From this output we can find out that the site is running WordPress, and all of the filenames are also printed. Afterward we can easily find out the names of the plugins the website is using with the command below:

We could have written a better sed query, but it works for our example. If we try to access one of the listed files in web browser, we can see that the files are indeed accessible as can be seen below:

4. Conclusion

We’ve seen how to pull various information from SVN and GIT repositories, but we could easily have done the same with other repository types. Having a repository publicly accessible can even lead to a total website defacement if a certain filename is found that contains all the passwords that are accessible via the web browser.

To protect ourselves we should never leave unprotected .git/ repositories online for everyone to see. At a minimum, we should write a corresponding .htaccess file to provide some protection.
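One way to apply that advice on a server we administer, as an added example that is not part of the original article: the script finds every revision control metadata directory under a document root and writes a deny-all .htaccess into each. The function names are hypothetical, and it assumes Apache 2.4 syntax (`Require all denied`) with AllowOverride permitting AuthConfig for those directories.

```shell
#!/bin/sh
# Added example: audit a document root for VCS metadata directories
# (.git, .svn, .hg, .bzr, CVS) and block HTTP access to each of them.
# Assumptions: Apache 2.4 and AllowOverride AuthConfig (or All) in effect.

# Print every VCS administrative directory below the given docroot.
# -prune stops find from descending into a match, so the internals of
# .git/ or .svn/ are not reported separately.
find_vcs_dirs() {
    find "$1" -type d \( -name .git -o -name .svn -o -name .hg \
        -o -name .bzr -o -name CVS \) -prune -print | sort
}

# Write a deny-all .htaccess into each directory found and print how
# many directories were handled. An .htaccess also covers all
# subdirectories, so objects/, refs/, etc. are protected too.
deny_vcs_dirs() {
    find_vcs_dirs "$1" | while IFS= read -r dir; do
        printf '%s\n' '# Block web access to VCS metadata' \
            'Require all denied' > "$dir/.htaccess"
        printf '%s\n' "$dir"
    done | wc -l | tr -d ' '
}

# Stand-alone use: ./audit.sh /var/www/html   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    echo "VCS metadata directories under $1:"
    find_vcs_dirs "$1"
    echo "Protected: $(deny_vcs_dirs "$1")"
fi
```

Per-directory files only take effect when overrides are enabled, so an equivalent rule in the main server configuration, or deploying an export without the metadata directories at all, is the more robust fix.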

Dejan Lukan is a security researcher for InfoSec Institute and penetration tester from Slovenia. He is very interested in finding new bugs in real world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security related problems and learning about new hacking techniques. He knows a great deal about programming languages, as he can write in couple of dozen of them. His passion is also Antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. He also has his own blog available here: http://www.proteansec.com/.
